IMY (Sweden) - DI-2021-6140
IMY - DI-2021-6140 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(3) GDPR, Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13.05.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DI-2021-6140 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | IMY (in EN) |
Initial Contributor: | Lauren |
The Swedish DPA held that a controller violated Article 12(3) GDPR by not responding to an Article 15 GDPR access request within the one-month time limit. The DPA did not impose a fine and considered this a minor infringement, given that the controller had essentially fulfilled other parts of the data access request without undue delay.
English Summary
Facts
The Swedish DPA (IMY) initiated supervision over the controller due to a complaint. The Swedish DPA received the complaint from the DPA of Ireland, where the data subject had lodged his complaint. The DPA, acting as lead supervisory authority, cooperated with other European DPAs (in Germany, Finland, France etc.) to investigate cross-border processing pursuant to Article 56 of the GDPR.
The controller is an automotive company. The data subject claimed he had requested access to his personal data pursuant to Article 15 of the GDPR in March 2019, but the controller stated that the request was made only on 25 February 2020.
The data subject requested information on warranty repairs of his vehicle, carried out by a car repair shop, belonging to the controller.
On 28 August 2020, the controller provided part of the data requested and replied that information on warranty was not available from the controller and the complainant needed to contact the car repair shop concerned.
On 4 September 2020, the controller informed the complainant that the controller had requested the relevant car repair shop to provide information on service and warranty repairs.
On 15 September 2021, the controller sent the relevant service and technical data (such as service history) from its QV90 system to the complainant. The controller stated that the reason why QV90 data was not provided to the complainant in the first communication was due to the human factor. The controller apologised and ensured that the mistake would not happen again.
The controller submitted that the car repair shops were independent of the controller. It was the car repair shops that had carried out warranty and service work on the complainant’s vehicles. Therefore, it was the car repair shops that had to provide the data subject with information on warranty and service work, because these repair shops owned the customer relationship and held relevant information and data on such services. The controller claimed it did not handle service or service invoices. Since the service was provided by the independent car repair shop, the car repair shop was the data controller for the service and warranty information. The controller pointed out that it did not have access to information relating to the car repair invoice for a particular warranty and service work carried out, and hence could not provide such data to the complainant.
The controller added that it had been in constant communication with the data subject and had attempted to respond to his various requests.
Holding
The DPA considered that the information requested by the complainant on technical records and data from the vehicle guarantee constituted personal data relating to the complainant, as it relates specifically to the complainant as the owner of the vehicle and may be used to identify the complainant. The DPA supported its argument by referring to literature by Öman (Öman, S. Data Protection Regulation (GDPR) etc. 2, the commentary on Article 5, under the heading “First paragraph — Personal data”) and EDPB Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications.
Hence, the complainant is entitled to access and receive a copy of the data from the controller upon request in accordance with Article 15(1) and 15(3) of the GDPR. The DPA accepted the controller’s statement that the complainant’s request was received by the company on 25 February 2020. However, the DPA considered that this request was sufficiently clear and referred to all personal data relating to the complainant’s vehicles, including the data which the controller made available to the complainant only on 15 September 2021. The DPA held that the controller should assume that the data subject intended to exercise his or her full right pursuant to Article 15(1) to (2) GDPR in the event of a request for access. Since the controller only fulfilled the request 17 months after receiving it from the data subject, which was far beyond the general 1 month deadline of Article 12(3) GDPR, the DPA found that the controller violated Article 12(3) GDPR by responding to the complainant’s request of 25 February 2020 for access pursuant to Article 15(3) only on 15 September 2021, and thus not without undue delay.
When calculating the amount of fines, the DPA considered the following factors: the infringement had affected one person and the controller had reviewed its procedures. The controller essentially satisfied the complainant’s right of access without undue delay by disclosing most of the information earlier and had now also granted the complainant access to all his personal data. The controller had not received any corrective action for breach of GDPR. Against this background the DPA considered this a minor infringement within the meaning of recital 148 and issued a reprimand to the controller pursuant to Article 58(2)(b) of the GDPR. No fines were imposed on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision. Only the Swedish version of the decision is deemed authentic.
Registration number: DI-2021-6140, IMI Case no. 186981, A60FD 399045
Decision under the General Data Protection Regulation – Volvo Personvagnar AB
Date of decision: 2022-05-13
Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.
Decision of the Swedish Authority for Privacy Protection (IMY)
The Swedish Authority for Privacy Protection (IMY) finds that Volvo Personvagnar AB has processed data in breach of
• Article 12(3) of the General Data Protection Regulation (GDPR) by not responding without undue delay to the complainant’s request of 25 February 2020 for access pursuant to Article 15 of the GDPR, responding only on 15 September 2021.
The Swedish Authority for Privacy Protection issues PUA a reprimand pursuant to Article 58(2)(b) of the GDPR for the infringement of Article 12(3) of the GDPR.
Report on the supervisory report
The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding Volvo Personvagnar AB (the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority for the company’s operations pursuant to Article 56 of the General Data Protection Regulation (GDPR), from the supervisory authority in Ireland where the complainant has lodged their complaint in accordance with the Regulation’s provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Finland, France, Ireland, Italy, the Netherlands, Norway, Poland, Portugal and Hungary.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The complaint
In March 2019, the complainant requested access to his personal data pursuant to Article 15 of the GDPR. The applicant requested, inter alia, information on warranty repairs, carried out by a car brand repair shop belonging to the company (the car repair shop). The company replied that information on warranty was not available from the company.
What Volvo Personvagnar AB has stated
The company has mainly stated the following.
The company is the data controller for the processing to which the complaint relates.
On 25 February 2020, the complainant submitted a request for access to personal data. The request concerned, inter alia, an invitation to provide information on the servicing of the complainant’s vehicle.
On 3 March 2020, the car repair shop sent the complainant a copy of a service invoice.
On 24 March 2020, the company sent a copy of the personal data containing information on the warranty repairs carried out, service on the vehicle and technical reports on the vehicle.
On 2 April 2020, the complainant lodged a complaint to the company alleging that the car repair shop had indicated that the information on the warranty repair could not be disclosed.
On 14 April 2020, the complainant clearly stated that he wishes to have access to, inter alia, the following information:
– correspondence between the complainant and the company’s customer service/carrier;
– correspondence between the complainant and the workshops concerning the vehicle in question;
– marketing; and
– recall of vehicles;
On 17 April 2020, the complainant received correspondence as set out above. At the same time, the company asked the complainant to clarify its request concerning marketing information and requests for correspondence with which country’s customer service was the subject of the request.
On 14 May 2020, the complainant received a copy of the correspondence between the complainant, car repair shops and the company.
On 17 June 2020, the complainant requested information on warranty repairs from the company.
On 28 August 2020, a copy of the personal data was sent to the complainant with the following information on:
– correspondence from the company’s customer service in the United Kingdom;
– correspondence from the local Irish sales office including, inter alia, the date of the warranty repairs carried out;
– service performed for which the company has information, the vehicle (date of technical reports on the vehicles); and
– a statement from a lawyer working for the company concerning what information the company doesn’t have and that the applicant needs to contact the car repair shop concerned.
On 4 September 2020, the company informed the complainant that the company had requested the relevant car repair shop to provide information on service and warranty repairs.
On 15 September 2021, the DPO sent a letter to the complainant and apologised for the handling of the request for information on warranty repair. In its reply, the company attached the following information.
Data from the system QV90:
– service history (date, metering, workshop and dealer),
– roadside assistance insurance from the local system;
– the next service date according to service intervals;
– listing in free text about measures and warranty cases (date, metering, warranty case, so-called QB number), missing component, applied for costs from the workshop for work and materials, cost allocation (between sales company/importer and manufacturer).
Information from the system of technical records from the time when the complainant owned the vehicle, as follows:
– logs on the vehicle where it has been recorded in technical reports;
– possible warranty cases (errors/problems that may occur on this vehicle and on which it is possible to call for a guarantee);
– logs on completed warranty cases, reports such as problems with the vehicle where the workshop involves the support of the sales company and/or the support company. These reports are linked to the vehicle and the complainant.
The company submits that the car repair shops are independent of the company. It is the car repair shops that have carried out warranty and service work on the complainant’s vehicles. It is for the car repair shops to provide the complainant with information on warranty and service work, as the workshops own the customer relationship and hold relevant information and data on such works. The complainant therefore needed to have a direct dialogue with the car repair shop on information concerning warranty and service provided. The company does not handle service or service invoices. Service is provided by the independent car repair shop and the car repair shop is data controller for the service information.
The company points out that the reason why the data from the QV90 system and the technical notes were not sent to the complainant in the first communication was due to the human factor. The company has now ensured that the mistake will not happen again.
The company has been in constant communication with the complainant and has attempted to respond to its various requests. The company points out that the complainant sought, in essence, information relating to the car repair invoice for a particular warranty and service work carried out, which is information to which the company did not have access.
Justification of the decision
Applicable provisions, etc.
Concept of personal data
According to Article 4(1) of the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The concept of ‘personal data’ may include all information, whether objective or subjective, provided that it ‘relates’ to a particular person, which it does if, by virtue of its content, purpose or effect, it is linked to that person. In the judgment of the Court of Justice of the European Union in Valsts ieņēmumu dienests, the Court held that the information requested by the Latvian tax authority, in particular data relating to the chassis numbers of the vehicles advertised on the operator’s web portal, constitutes personal data within the meaning of Article 4(1) of the GDPR. [3]
[2] Judgment of the Court of Justice of the European Union, Nowak, C-434/16, EU:C:2017:994, paragraphs 34-35.
[3] Judgment of the Court of Justice of the European Union, Valsts, C-175/20, EU:C:2022:124, paragraphs 34 and 36.
The European Data Protection Board (EDPB) Guidelines 01/2022 on data subject rights - Right of access, inter alia:
51. Additionally, the controller needs to assess whether the requests made by the requesting persons refer to all or parts of the information processed about them. Any limitation of the scope of a request to a specific provision of Art. 15 GDPR, made by the data subjects, must be clear and unambiguous. For example, if the data subjects require verbatim “information about the data processed in relation to them”, the controller should assume that the data subjects intend to exercise their full right under Art. 15(1) – (2) GDPR. Such a request should not be interpreted as meaning that the data subjects wish to receive only the categories of personal data that are being processed and to waive their right to receive the information listed in Art. 15(1)(a) to (h). This would be different, for example, where the data subjects wish, with regard to data which they specify, to have access to the source or origin of the personal data or to the specified period of storage. In such a case the controller may limit its reply to the specific information requested.
104. The words “personal data concerning him or her” should not be interpreted in an “overly restrictive” way by controllers, as the Art. 29 Working Party already stated with regard to the right to data portability. Transposed to the right of access, the EDPB considers for example that recordings of telephone conversations (and their transcription) between the data subject that requests access and the controller, may fall under the right of access provided that the latter are personal data. [...]
150. It is the responsibility of the controller to decide upon the appropriate form in which the personal data will be provided. The controller can, although is not necessarily obliged to, provide the documents which contain personal data about the data subjects making the request, as such and in their original form.
The controller can for example, on a case-by-case basis, provide access to a copy of medium given the need for transparency (for example, to verify the accuracy of the data held by the controller in the event of a request for access to the medical file or an audio recording whose transcript is disputed). However, the CJEU, in its interpretation of the right of access under the Directive 95/46/EC, stated that “for [the right of access] to be complied with, it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him”. Unlike the directive, the GDPR expressly contains an obligation to provide the data subject with a copy of the personal data undergoing processing. This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents. Such copy of the personal data could be provided through a compilation containing all personal data covered by the right of access as long as the compilation makes it possible for the data subject to be made aware and verify the lawfulness of the processing. Hence, there is no contradiction between the wording of the GDPR and the ruling by the CJEU regarding this matter. The word summary in the ruling should not be misinterpreted as meaning that the compilation would not encompass all data covered by the right of access, but is merely a way to present all that data without giving systematically access to the actual documents. Since the compilation needs to contain a copy of the personal data, it should be stressed that it cannot be made in a way that somehow alters or changes the content of the information. 
EDPB Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications [4], inter alia:
3. In addition, connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers. Even if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car. As an illustration, data relating to the driving style or the distance covered, data relating to the wear and tear on vehicle parts, location data or data collected by cameras may concern driver behaviour as well as information about other people who could be inside or data subjects that pass by. Such technical data are produced by a natural person, and permit his/her direct or indirect identification, by the data controller or by another person. The vehicle can be considered as a terminal that can be used by different users. Therefore, as for a personal computer, this potential plurality of users does not affect the personal nature of the data.
29. Much of the data that is generated by a connected vehicle relate to a natural person that is identified or identifiable and thus constitute personal data.
For instance, data include directly identifiable data (e.g., the driver’s complete identity), as well as indirectly identifiable data such as the details of journeys made, the vehicle usage data (e.g., data relating to driving style or the distance covered), or the vehicle’s technical data (e.g., data relating to the wear and tear on vehicle parts), which, by cross-referencing with other files and especially the vehicle identification number (VIN), can be related to a natural person. Personal data in connected vehicles can also include metadata, such as vehicle maintenance status. In other words, any data that can be associated with a natural person therefore fall into the scope of this document.
62. As noted in the introduction, most data associated with connected vehicles will be considered personal data to the extent that it is possible to link it to one or more identifiable individuals. This includes technical data concerning the vehicle’s movements (e.g., speed, distance travelled) as well concerning the vehicle’s condition (e.g., engine coolant temperature, engine RPM, tyre pressure). [...]
[4] EDPB, Guidelines 01/2020 on processing staff data in the context of connected vehicles and mobility related applications, Version 2.0, adopted on 9 March 2021 following public consultation, paragraphs 3, 29 and 62; IMY translation.
In the preparatory work documents for the law ‘Road infrastructure charges and electronic toll systems’, the legislature noted that the very broad definition of personal data was the subject of discussion in the legislative file which resulted in the Law on road traffic registers and stated the following. In the field of road traffic there are both personal data and vehicle technical data. However, in some cases it may be difficult to determine to which category a particular task falls.
A technical data of a vehicle should not be considered as personal data if it cannot be linked to the identity of the owner of the vehicle. On the other hand, an indication that a particular vehicle is subject to a driving ban refers to the owner of the vehicle in a specific way and it is therefore likely to be personal data. In the light of this statement, the Government considered in the preparatory work for the Act on Congestion Tax [7] that the registration number of a vehicle also relates to the owner of the vehicle in such a specific way that the task is to be regarded as personal data. The Government does not consider that there is now any reason to make a different assessment.
In the literature, Öman states that vehicle registration numbers are examples of information relating to an identifiable natural person. [8]
[5] Prop. 2013/14:25 p. 85.
[6] Prop. 2000/01:95 p. 98.
[7] Prop. 2003/04:145 pp. 98 et seq.
[8] Öman, S. Data Protection Regulation (GDPR) etc. 2, the commentary on Article 5, under the heading “First paragraph — Personal data”.
Right of access without undue delay
The controller is obliged to provide any person who so requests with information on the processing or non-processing of personal data relating to the applicant. Processing such data shall, in accordance with Article 15 of the GDPR, provide the complainant with additional information as well as a copy of the personal data processed by the controller.
According to Article 12(3) GDPR, the controller shall upon request without undue delay and in any event no later than one month after receiving the request for access respond to the data subject’s request. [9]
[9] European Data Protection Board Guidelines 01/2022 on data subjects’ rights — right of access, version 1.0, adopted on 18 January 2022.
Assessment of the Swedish Authority for Privacy Protection (IMY)
On the basis of the complaint in the case, IMY only examined the company’s conduct in the individual case and whether it provided a copy of the personal data relating to the complainant without undue delay. Supervision does not apply if the company’s personal data processing is otherwise compatible with the General Data Protection Regulation (GDPR).
The IMY considers that the information requested by the complainant on technical records and data from the vehicle guarantee, constitute personal data relating to the applicant, since they relate specifically to the applicant as the owner of the vehicle and may be used to identify the complainant. In so doing, the complainant is entitled to access the data from the company upon request in accordance with Article 15 of the GDPR, inter alia, the information set out in Article 15(1) and a copy of the data pursuant to Article 15(3).
The complainant has stated that the request for access was made in March 2019. On the other hand, the company has stated that the applicant’s request for access was made only on 25 February 2020. IMY finds no reason to question the company’s statements that the applicant’s request was received by the company on 25 February 2020. However, IMY considers that this request was sufficiently clear to refer to all personal data relating to the complainant’s vehicles, including the above-mentioned data which the company made available to the applicant only on 15 September 2021. This is because the complainant indicated in its request the type of information about his vehicle for which the complainant requested data and that the controller should assume that, in the event of a request for access, the data subject intends to exercise his or her full right pursuant to Article 15(1) to (2) of the GDPR. [11]
The request has thus been met 17 months after the external deadline of one month to deal with the request in accordance with the general rule in Article 12(3). IMY therefore considers that Volvo Personvagnar AB has not dealt with the complainant’s request for access pursuant to Article 15(3) without undue delay within the meaning of Article 12(3) of the GDPR. The fact that most of the information was disclosed earlier and that the company stated that the error was attributable to the human factor, does not cause any other assessment.
In the light of the above, IMY concludes that Volvo Personvagnar has processed the complainant’s personal data in violation of Article 12(3) of the GDPR by not responding without undue delay to the complainant’s request of 25 February 2020 for access pursuant to Article 15(3), responding only on 15 September 2021.
[10] Cf. EDPB Opinion 01/2020 on Connected Vehicles, paragraphs 3, 29 and 62.
[11] Cf. EDPB Guidelines 01/2022 on data subjects’ rights — right of access, version 1.0, adopted on 18 January 2022, paragraph 51.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into account when deciding on administrative fines and in determining the amount of the fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider are the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and past relevant infringements.
IMY notes the following relevant facts. The infringement has affected one person and the company has reviewed its procedures. The company essentially satisfied the complainant’s right of access without undue delay and has now also granted the complainant access to all his personal data. The Company has not received any corrective action for breach of GDPR. Against this background IMY considers that it is a minor infringement within the meaning of recital 148 and that Volvo Personvagnar AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR.
This decision has been approved by the specially appointed decision-maker after presentation by legal advisor
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown on the first page of the decision.